w44-2023

Here’s your weekly #databreach news roundup:

Sumo Logic, McLaren Health Care, Mr. Cooper, Electric Ireland, Maine Residents, TransForm and Marina Bay Sands (MBS).

Maine Residents

What happened?
  • The Maine government confirmed a significant data breach in which personal information of over a million individuals was stolen by a Russia-linked ransomware gang.
How did it occur?
  • Hackers exploited a vulnerability in the MOVEit file-transfer system used by the state, which stored sensitive resident data. The breach occurred between May 28 and May 29.
Types of Data Stolen:
  • Stolen information may include names, birth dates, Social Security numbers, driver’s license details, state/taxpayer IDs, and medical and health insurance information.
Agencies Affected:
  • Over half the data relates to Maine’s Department of Health and Human Services and about a third to the Department of Education. Other affected agencies include the Bureau of Motor Vehicles and Department of Corrections.
Extent of the Breach:
  • It’s unclear how recent the stolen data is or the specific years it covers. The breach affected not just residents but also out-of-state individuals.
Resident Impact:
  • Of those affected, 534,194 are state residents, which is around 40% of all individuals impacted.
Context of the Breach:
  • This incident is part of a larger MOVEit system hack, considered one of the largest of the year by victim count. MOVEit, used globally for secure data transfers, had a vulnerability that was exploited by cybercriminals, notably the Clop ransomware gang.
Global Impact:
  • Over 2,500 organizations have reported MOVEit-related breaches, affecting at least 69 million people globally.
Clop Ransomware Gang:
  • Clop, a Russian-speaking ransomware group, is known for similar mass-hacking incidents. They have not yet listed Maine among their publicly disclosed victims. Ransomware gangs like Clop often threaten to publish stolen data to extort victims.

McLaren Health Care

What happened?
  • McLaren Health Care, a non-profit healthcare system, experienced a data breach affecting approximately 2.2 million people. The breach occurred between late July and August of this year, exposing sensitive personal information.
How did it occur?
  • The breach was identified on August 22, 2023, with investigations revealing that McLaren’s systems had been compromised since July 28, 2023. An unauthorized threat actor accessed data on August 31.
Types of Data Stolen:
  • Exposed data includes full names, Social Security numbers, health insurance information, dates of birth, billing or claims information, diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication information, and diagnostic results and treatment information.
Organizational Profile:
  • McLaren has an annual revenue of $6.6 billion and encompasses 14 hospitals in Michigan with a total bed capacity of 2,624, supported by 490 physicians. It employs 28,000 full-time staff and maintains contractual relationships with 113,000 providers.
Individual Impact:
  • The specific types of data exposed vary per individual, depending on their interactions and services received from McLaren.
Mitigation Efforts:
  • Impacted individuals are being notified via email and offered 12 months of identity protection services. McLaren urges caution against unsolicited communications and advises monitoring financial and account statements.
Context of the Breach:
  • While McLaren has not disclosed many details, the ALPHV/BlackCat ransomware group claimed responsibility for an attack on McLaren’s network on October 4.
Organizational Response:
  • McLaren reported the intrusion to U.S. authorities and published a statement on its website. They have not found evidence of misuse of the exposed data but recommend vigilance in monitoring financial activities and reporting unusual activity.

Mr. Cooper

What happened?
  • Mr. Cooper, a major mortgage and loan provider serving over four million customers, confirmed that customer data was compromised during a recent cyberattack.
Current State of Investigation:
  • The company is still investigating the extent of data exposure and the nature of the cyberattack. Specific details about the type of data compromised are not yet clear.
Security Measures and Information Storage:
  • Mr. Cooper clarified that banking information related to mortgage payments is not stored on their systems but with a third-party provider. They believe this information was not affected by the incident.
Customer Communication:
  • Mr. Cooper plans to send mail notices to affected customers in the coming weeks.
System Outage and Response:
  • The company’s systems have been experiencing outages for over a week. The cyberattack occurred on October 31, and the company disclosed it two days later. In response, they shut down their systems to limit the attack’s impact.
Customer Impact:
  • Several customers reported being unable to log into their accounts due to the system outage caused by the cyberattack.
Financial Implications:
  • In a filing with the U.S. Securities and Exchange Commission, Mr. Cooper anticipates up to $10 million in additional vendor costs in the fourth fiscal quarter. However, they do not expect this incident to materially impact their business.
Public Relations and Communication:
  • Mr. Cooper’s spokesperson Christen Reyenga directed inquiries to a third-party PR firm, which reiterated the company’s public statement without addressing specific questions. The company declined to make CISO Scot Miller available for an interview as requested by TechCrunch, and there is no information on whether the company has received any communication from the hackers.

Electric Ireland

Incident Overview:
  • Electric Ireland, an energy supplier, has experienced a suspected data breach, affecting customers who have used debit and credit cards to pay their energy bills.
Customer Advisory:
  • Customers are advised to cancel the debit and credit cards used for payments and to monitor their accounts for suspicious activity. Those who used bank accounts for payment should review their bank statements since October 2021 for signs of hacking.
Breach Details:
  • An individual at a call center used by Electric Ireland reportedly accessed the financial and other personal details of approximately 8,000 customers. This includes names, addresses, email addresses, phone numbers, dates of birth, and bank account details (IBAN).
Investigation:
  • The Gardaí (Irish police) are investigating the breach. Electric Ireland is liaising with An Garda Síochána and the Data Protection Commissioner. The details of the case are confidential due to the ongoing investigation.
Communication with Customers:
  • Electric Ireland has written to the 8,000 potentially impacted customers, informing them about the breach and advising them on actions to mitigate the risk of financial fraud.
Non-affected Customers:
  • Customers who have not received a letter from Electric Ireland are not required to take any action.
Company Response:
  • Electric Ireland, which serves around 1.1 million customers, acknowledges the seriousness of the issue. They have requested that customers experiencing any fraudulent activity contact them directly.
Previous Incidents:
  • Electric Ireland has had previous issues, including overcharging customers due to billing errors with smart meters. They have issued apologies and refunds for these errors.

Sumo Logic

Incident Discovery:
  • Sumo Logic, a security and data analytics firm, reported a breach in its AWS (Amazon Web Services) account, discovered on November 3.
Breach Details:
  • The breach occurred when an attacker used stolen credentials to access a Sumo Logic AWS account. However, Sumo Logic’s systems and networks were not directly impacted, and customer data remains encrypted and secure.
Immediate Response:
  • Following the breach detection, Sumo Logic secured the exposed infrastructure and rotated all potentially exposed credentials as a precautionary measure.
Ongoing Investigation and Security Measures:
  • The company is thoroughly investigating the incident’s origin and extent. They have identified the potentially exposed credentials and implemented enhanced security measures, including increased monitoring and addressing vulnerabilities.
Customer Advisory:
  • Sumo Logic advised its customers to rotate their API keys and other credentials, including:
    • Sumo Logic installed collector credentials.
    • Third-party credentials stored with Sumo for data collection.
    • Credentials related to webhook connection configuration.
    • User passwords for Sumo Logic accounts.
Company Commitment and Communication:
  • Sumo Logic emphasizes its commitment to digital security and will directly notify customers if evidence of malicious access to their accounts is found. Customers can find updates at the company’s Security Response Center.
Business Profile:
  • Sumo Logic operates a cloud-native SaaS analytics platform, offering services like log analytics, infrastructure monitoring, and cloud infrastructure security.

TransForm

Incident Overview:
  • TransForm, a shared service provider for hospitals in Ontario, Canada, suffered a ransomware attack that impacted operations in multiple hospitals. The attack occurred in late October.
Data Compromise:
  • The attackers stole a database with details of 5.6 million patient visits, affecting approximately 267,000 unique individuals.
Organization Profile:
  • TransForm is a non-profit organization, founded by five Erie St. Clair hospitals, handling IT, supply chain, and accounts payable services.
Affected Hospitals:
  • The cyberattack affected five hospitals under TransForm’s umbrella, including Bluewater Health. The hospitals experienced operational disruptions, leading to rescheduled appointments and redirected non-emergency cases.
Attackers and Data Leak:
  • The DAIXIN Team claimed responsibility for the attack. They started leaking data samples from the hospitals’ networks, expressing interest in selling the data rather than continuing the leak.
Response to Ransom Demand:
  • TransForm confirmed the ransomware attack and the data exfiltration but stated they would not pay the ransom.
Impact on Hospitals:
  • The impact varied among hospitals:
    • Bluewater Health: 5.6 million patient visits (267,000 unique patients), without clinical records.
    • Chatham-Kent Health Alliance: Data on 1,446 hospital employees, including sensitive personal information.
    • Erie Shores HealthCare: Data on 352 current and past employees.
    • Windsor Regional Hospital: Limited patient data, including names and medical condition summaries.
    • Hôtel-Dieu Grace Healthcare: Patient data, currently under analysis.
Ongoing Investigation:
  • TransForm is still investigating the exact contents of the stolen files. They promise regular updates on the investigation’s progress and are asking for patience due to the time-consuming nature of determining the full impact.

Marina Bay Sands (MBS)

Incident Overview:
  • Marina Bay Sands (MBS), a luxury resort and casino in Singapore, disclosed a data breach affecting the personal data of approximately 665,000 customers.
Discovery and Timing:
  • The breach was discovered on October 20, 2023. Unauthorized access occurred on October 19 and 20, 2023, specifically targeting the MBS loyalty program members’ data.
Affected Data:
  • The exposed information includes names, email addresses, mobile phone numbers, phone numbers, countries of residence, and loyalty program membership numbers and tiers.
Risk and Potential Misuse:
  • The breach poses risks for targeted scams, phishing, and social engineering attacks against MBS customers.
Scope of Impact:
  • The breach seems to be confined to non-casino rewards program members, with no current evidence suggesting that casino members (Sands Rewards Club) are affected.
Customer Notification:
  • MBS is informing customers whose data was compromised about the breach and its impact through individual notifications.
Response to Incident:
  • Following the discovery, MBS reported the incident to authorities in Singapore and other relevant countries.
Investigation and Uncertainty:
  • The full scope of the attack remains unclear. It is suspected that the intrusion could be related to a ransomware attack, where threat actors steal data and extort money from the victim. However, no ransomware group has claimed responsibility for the attack as of now.
Official Communication:
  • Marina Bay Sands has not provided additional information beyond the official statement, and their spokesperson declined to comment further when contacted by BleepingComputer.